This document defines a new method of reliability prediction for 
complex systems. The method involves calculation of both upper and 
lower bounds, and a procedure for combining the two to yield an 
approximately true prediction value. Both mission success and crew 
safety predictions can be calculated, and success probabilities can 
be obtained for individual mission phases or subsystems. Primary 
consideration is given to evaluating cases involving zero or one 
failure per subsystem, and the results of these evaluations are then 
used for analyzing multiple failure cases. Extensive development is 
provided for the overall mission success and crew safety equations 
for both the upper and lower bounds. Sufficient explanation of 
individual phase and subsystem equations is given so that their 
deviations can be determined easily by the reader. 

Following the main body of the report, a short appendix is provided 
which delineates the specific data required from the reliability 
analysts. The objective of the method was to simplify the data 
requirements as much as possible, and to include the resulting 
complexity in the prediction method itself. 

A computer program was developed to perform the calculations 
indicated by the equations. To optimize computer utilization, the 
program deviates from the text with respect to the sequence of the 
mathematical operations. An explanation of the program is a 
second appendix to this report. A sample of the computer 
output is a third appendix. 
RELIABILITY PREDICTION METHODS FOR THE APOLLO SPACECRAFT 
SUMMARY 


The complexity of the Apollo Spacecraft and missions has necessitated 
a reevaluation of methods for prediction of reliability. It has been found that 
exact analytical methods are either difficult to define or so detailed or complex 
that they cannot readily be used. Some degree of success in performing 
predictions has been achieved through the use of simulation models (Monte 
Carlo techniques). However, these have proved excessively expensive, 
particularly when very high overall reliabilities are involved. This is 
because the degree of accuracy is dependent on the number of simulation 
trials, and a greater number of trials is required for the same degree of 
accuracy for high reliabilities than for lower reliabilities. 

As a result of these limitations, attempts have been made to calculate 
reliability prediction numerics by using approximate analytical methods. 
Some of these approximate methods involve calculation of only a lower 
bound, and provide sufficient proof that the true prediction number is higher 
than the calculated number. How much higher, however, has been difficult 
to determine, even approximately. The original method used by S&ID overcame 
this difficulty by calculating both an upper and a lower bound and, by 
an empirical method, computing an approximately true value. The upper 
bound was found by subtracting failure cases from unity, while the lower 
bound was found by adding success cases. All calculations were performed 
using desk calculators and manual methods, with the resulting limitation 
that only simple success and failure cases could be considered. This led 
to considerable differential between the two bounds. An important advantage, 
however, was the ability to detect inconsistencies and anomalies in the input 
data and secure rapid correction. 

Since development of the previous approximate analytical method, 
further expansion of the techniques has been made so that all cases can be 
considered. This was made possible through thorough evaluation of both 
the original input and output numerics and determination of error magnitudes 
that could result from the approximations necessary for considering cases 
involving multiple failures. More exact calculations are used for zero and 
one-failure cases, resulting in consideration of a higher percentage of the 
total number of cases. The number of multiple-failure cases is thereby 
reduced to a level where the simplifications used would not significantly 
affect the overall results. The modifications, greater exactness, and 
expanded number of cases led to utilization of a computer program to 
perform the numerical operations, while still permitting visual (manual) 
evaluation of input data. The current methods apply to calculation of crew 
safety probability and also provide for determination of mission and crew 
loss probabilities by individual subsystem or phase. The computer performs 
essentially the same calculations described here, although the order 
is sometimes varied to facilitate optimum computer utilization. 


MISSION SUCCESS - UPPER BOUND 

The upper bound of the reliability prediction range for mission success 
is found by considering failures and, in effect, subtracting these from 
unity. Only series elements in the mission continuation logic diagrams are 
considered. Mission success occurs when no series element fails in any 
subsystem in any phase of the mission — that is, the probability of mission 
success is the product of the reliabilities of all series elements. Element 
reliabilities are first combined into subsystem reliabilities from which the 
mission success probability is calculated. 


$$R_{MS} = \prod_{i=1}^{n} \prod_{j=1}^{m} R_{i,j}$$
where 

$R_{MS}$ is the probability of mission success; 

$R_{i,j}$ is the reliability of subsystem i in phase j; 

$m$ is the number of phases; and 

$n$ is the number of subsystems. 


An exponential model (constant failure-rate system) is assumed except 
for single-shot components. This approach is realistic because components 
are pretested and then operated within their normal useful life. It also 
facilitates calculations by making possible the suitable combination of 
reliabilities of various components. The exponential model is also used 
in all other predictions discussed in this report. 
MISSION SUCCESS - LOWER BOUND 


The lower bound for probability of mission success is found by adding 
success cases. It can be easily shown that for Apollo mission phases, when 
three or more possible paths exist, the resultant failure probability of the 
redundant components is less than 1 x 10“° in all cases of current configurations. 
Therefore failure probabilities of components in such parallel paths 
are not included in the computation. All other components are included. 


The success cases considered are those in which no failure occurs in 
any included component and those in which not more than one non-series 
component fails. Assuming the following simple logic diagram for one 



the probability of mission success is found by adding the probability of no 
failure of any component (A through F) to the sum of the probabilities of 
a failure of any one non-series component (C through F), the other components 
not failing. 

where 

i is the reliability of component k of 
* subsystem i in phase j; 

j is the probability of failure of a non-series 
’ component of subsystem i in phase j; and 

j is the reliability of the non-series component. 


Since R^. ^ = e 1 '^ where is the probability of failure of any included 

component in subsystem i in phase j; 



+ S 


Q ±l) 

R Ks) 


However, R&^ ^ is frequently very close to unity for any one phase, and may 
then be omitted from the calculations giving the result: 


R. .r 
i. J 



( 2 ) 


Equation 2 is referenced later in this report, and its derivation is 
important to the analyses. When R£ is greater than 0.999, as is almost 
always true, Equation 2 is exact. The equation facilitates the rapid summation 
of individual component failure probabilities with minimum calculating 
time. (When R^ is less than 0.999, it is used in the calculation of 
Equation 2. Equation 2, as shown, will be used in this report, remembering 
that Rj. is considered in the calculations, when appropriate. ) 

Subsystem-phase reliabilities are combined to obtain the overall 
mission success probability. Only one non-series failure per subsystem is 
considered, although any number of subsystems may have a failed component. 
The following notations are used for simplification: 
(3) 


The probability of no failures in subsystem i in phase j is: 


i.j 


(4) 


and the probability of exactly one non-series failure is: 


-F. . 
l » J 


X F. 


l * J 


(5) 


NOTE: In the lower bound case calculations, 

F includes both series and parallel 
components. 

Since only one failure per subsystem is considered in the mission, 
the reliability of a subsystem is calculated by summing the probability of 
zero failures and all cases of the probability of one non-series failure. 
NOTE: To simplify calculations, the original 
phase logic diagram associated with 
each phase is retained although it is 
recognized that a failure of a non-series 
element in one phase slightly 
modifies the logic diagrams for succeeding 
phases. This approach is 
conservative because actually fewer 
components need be considered in 
phases subsequent to the failure. 


The reliability of the system is the product of the reliabilities of all 
individual subsystems (from Equation 6): 
A small increment of mission success, $\Delta R_{MS}$, is added to Equation 7. 
This is obtained from Equation 35. 
It has been found empirically that an approximately true value of the 
failure probability can be obtained by taking the square root of the product 
of the upper and lower values of the probability of failure. From this, it 
follows that 

$$R_{MS} = 1 - \sqrt{(1 - R_{MS})_{\text{upper}} \times (1 - R_{MS})_{\text{lower}}}$$

(from Eq. 7) (from Eq. 35) 


NOTE: F in $R_{\text{upper}}$ considers only series components; 
F in $R_{\text{lower}}$ considers both series and parallel components. 
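A numerical illustration of the bounding-and-combining procedure described above, added here as an example; it is not the report's computer program. The failure probabilities are constructed sample values, and the lower bound follows the text's description (zero failures, or exactly one non-series failure per subsystem, multiplied across subsystems) as an assumption, because Equations 6 and 7 are not legible on this page; the Equation 35 increment is omitted.

```python
import math

# Constructed sample input (not from the report): failure probability F
# per subsystem per phase, split into series elements and non-series
# (redundant) elements of the mission logic diagram.
SAMPLE = {
    "subsystem_A": [
        {"series": 1e-4, "nonseries": 2e-3},   # phase 1
        {"series": 3e-4, "nonseries": 1e-3},   # phase 2
    ],
    "subsystem_B": [
        {"series": 2e-4, "nonseries": 5e-4},
        {"series": 1e-4, "nonseries": 4e-3},
    ],
}


def _check(data):
    """Reject negative or non-finite failure probabilities early."""
    for name, phases in data.items():
        for idx, p in enumerate(phases, start=1):
            for kind in ("series", "nonseries"):
                f = p[kind]
                if not (math.isfinite(f) and f >= 0.0):
                    raise ValueError(f"{name} phase {idx}: bad {kind} value {f!r}")


def mission_success_upper(data):
    """Upper bound: only series elements are considered.

    With the exponential model R = exp(-F), the product of all series
    reliabilities equals exp(-sum of all series F over subsystems and phases).
    """
    _check(data)
    total = sum(p["series"] for phases in data.values() for p in phases)
    return math.exp(-total)


def mission_success_lower(data):
    """Lower bound: add the success cases for each subsystem.

    Assumed form, taken from the text's wording: per subsystem,
    P(no failure of any included element) = exp(-F_all), and
    P(exactly one non-series failure, nothing else) = exp(-F_all) * F_nonseries.
    Subsystem results are then multiplied together.
    """
    _check(data)
    result = 1.0
    for phases in data.values():
        f_all = sum(p["series"] + p["nonseries"] for p in phases)
        f_nonseries = sum(p["nonseries"] for p in phases)
        result *= math.exp(-f_all) * (1.0 + f_nonseries)
    return result


def combine_bounds(r_upper, r_lower):
    """Empirical rule from the text: the failure probability is taken as the
    square root of the product of the upper and lower failure probabilities."""
    if not (0.0 <= r_lower <= r_upper <= 1.0):
        raise ValueError("expected 0 <= r_lower <= r_upper <= 1")
    return 1.0 - math.sqrt((1.0 - r_upper) * (1.0 - r_lower))


if __name__ == "__main__":
    upper = mission_success_upper(SAMPLE)
    lower = mission_success_lower(SAMPLE)
    print(f"upper bound : {upper:.7f}")
    print(f"lower bound : {lower:.7f}")
    print(f"combined    : {combine_bounds(upper, lower):.7f}")
```

Because 1 + x never exceeds exp(x), the assumed lower bound cannot exceed the upper bound for any non-negative inputs, so the combined value always falls between the two.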


CREW SAFETY - UPPER BOUND 

The upper bound for crew safety is the sum of the probabilities of 
mission success (MS) and all possible safe aborts (SA) resulting from the 
failure of a series component. 

$$R_{CS} = R_{MS} + R_{SA} \qquad (9)$$

As in the case of the mission success upper bound, it is actually found by 
considering failures and the probabilities of their not occurring. 

The probability of a safe abort is the product of the probability that 
an abort is required times the probability that it is successful. As a very 
close approximation, an abort is considered to take place at an average time 
of half way through the phase in which it is necessitated. (The greater the 
number of phases and the shorter each phase, the closer the approximation.) 
Each abort case is calculated as a mutually exclusive event, thereby 
permitting the simple addition of all abort cases considered. An abort case 
is computed by taking the product of the following terms: 


a. The probability of mission continuation (MC) for all subsystems 
up to the phase in which the abort occurs (no series failures). 

b. The probability that all subsystems except the one that failed 
perform satisfactorily for an average time of one-half of the phase 
in which an abort is required. 

c. The probability that, in the phase, the subsystem under consideration 
incurs a failure that requires but does not preclude an 
abort — i.e., failure of a component that is in series in the MC 
logic diagram but is not in series in the SA logic diagram. 

d. The probability that all subsystems except the one that failed 
perform satisfactorily during the abort — i.e., no failure of a 
series component in the normal abort logic diagram. 

e. The probability that the failed subsystem performs satisfactorily 
during the abort — that is, incurs no failure of a series element 
in the modified abort logic diagram. The series elements in the 
modified diagram include the original series components plus the 
average number of additional components which become series 
elements as a result of the failure which occurred in the mission. 


The terms a through e are found as follows: 

a. Reliability of all subsystems up to phase of abort 

$$\prod_{i=1}^{n} \prod_{j=1}^{\text{phase}-1} R_{i,j} = e^{-\sum_{i=1}^{n} \sum_{j=1}^{\text{phase}-1} F_{i,j}} \qquad (10)$$


Derivation of this equation is the same as that for Equation 1. 


- 9 - 

SID 66-744 

NORTH AMERICAN AVIATION, INC. 

SPACE and INFORMATION SYSTEMS DIVISION 


b. Probability that all other subsystems perform for one-half of 
abort phase 

c. Probability that subsystem n fails in phase j 


$$R_{n,j} \times F'_{n,j} = e^{-\frac{1}{2} F_{n,j}} \times F'_{n,j}, \quad j = \text{abort phase} \qquad (12)$$


Derivation of this equation is similar to that for Equations 2 and 
5, except that represents failures of subsystem n that require 
but do not preclude an abort, and the average time of abort is 
half way through the phase. 

d. Probability that all other subsystems perform satisfactorily in 
abort 
i, j, abort 


ft^i, j, abort 
where $G_{i,j}$ is the failure probability of subsystem i in abort in 
phase j. 

e. Probability that subsystem n performs satisfactorily 
in abort = $R'_{n,j,\text{abort}} = e^{-G'_{n,j}}$, where $G'_{n,j}$ is the modified 
failure probability of subsystem n ($= G_{n,j} + \Delta G_{n,j}$). Therefore, 

$$R'_{n,j,\text{abort}} = e^{-(G_{n,j} + \Delta G_{n,j})} \qquad (14)$$


Equations 10 through 14 are multiplied together to obtain the probability 
of safe abort of one subsystem in one phase. 

, phase-1 
(15) 


When the abort is caused by failure of the Service Propulsion System 
(SPS) in the mission, another abort method may be used, depending on the 
mission. This may result in a changed abort logic diagram for the Service 
Module Reaction Control System (S/M RCS) and, in some cases, for other 
subsystems. A new probability of failure in abort, $GG_{i,j}$, is substituted 
for $G_{i,j}$ for the affected subsystems, where applicable, thus modifying 
Equations 13 and 15. This is done before summing $R_{SA_{i,j}}$. 
The total number of safe aborts is the sum of the $R_{SA_{i,j}}$ terms: 

$$R_{SA} = \sum_{i=1}^{n} \sum_{j=1}^{m} R_{SA_{i,j}} \qquad (16)$$

(from Equation 15 or modified 15) 


The overall upper bound for crew safety is the sum of Equations 1 and 16: 


$$R_{CS_{\text{upper}}} = R_{MS_{\text{upper}}} + R_{SA_{\text{upper}}} \qquad (9)$$


CREW SAFETY — LOWER BOUND 


The most complex case is the lower-bound prediction of crew safety. 
The major reason for this complexity is the inability to account analytically 
for cases of multiple failures. Although analytical models and computer 
programs have been developed to evaluate multiple failures occurring in 
one phase, the failure probabilities cannot be evaluated when they occur in 
different phases, which is many times more likely. Consequently, an 
analytical method has been developed which provides a very close approximation 
to the true answer, and which can be shown to be on the conservative 
side, thereby providing a lower bound. 

The lower bound for crew safety is found by adding the probability of 
mission success, all cases of the probability of safe abort with no more 
than one failure per subsystem in the mission and in the abort, and all 
other cases of safe abort. The first two of these probabilities are computed 
directly; the third utilizes a method of differences discussed in succeeding 
paragraphs. 

The probability of mission success is obtained from Equation 7. The 
probability of safe abort with no more than one failure per subsystem is 
calculated as the product of several probabilities. However, there is more 
complexity in these calculations than for the upper bound because, for the 
lower bound, both series and parallel components are considered, and each 
subsystem may have one nonseries failure in either MC or SA or both. 

(The system which necessitated the abort has a noncatastrophic series 
failure in MC. ) The failure permitted during abort depends on the condition 
of the system when the abort is started. 

The probability of zero or one failure up to the time of abort is calculated 
from a modification of Equation 7. Equation 7 defines the reliability 
for all subsystems for all phases. This is modified by summing the number 
of phases from phase one to half-way through the phase in which the abort 
occurs (phase - 1/2). The sum of failure probabilities from phase one 
through (phase - 1/2) can more easily be expressed as the sum from phase 
one through (phase - 1) plus one-half the failure probability for the phase: 


$$\sum_{j=1}^{\text{abort phase}-\frac{1}{2}} F_{i,j} = \sum_{j=1}^{\text{phase}-1} F_{i,j} + \frac{1}{2} F_{i,j}\Big|_{j=\text{abort phase}}$$


Since the abort is caused by the failure of a series component in one 
subsystem, the changed equation is further modified by dividing by the 
reliability of the subsystem which failed (reference Equation 11). The 
resulting expression is: 


n /phase -1 \ . 

v J -’ Jifeir * ft V + j=' F ^ +iFi ’ j i 

p x j=abort 

phase 


{ hase-1 

2 F . + i f i 
j=i n,j 2 n,j 

j=abort 

phase 


( phase -1 , 

l 1 + j=i F n,j + 1 F n,j 

' J j=abort ' 

phase 


(17) 


Subsystem n, which incurred a noncatastrophic series failure in the 
mission, had no failure up to the abort phase and no other failure in the 
phase. From Equations 10 (modified) and 12, this probability is expressed 
as: 


e 


phase -1 
-2 F 


' * 1 — A. ~ ~ ' 


j=abort phase 


(18) 


In this set of cases, each subsystem except the one which had the 
series failure can achieve a successful abort if not more than one non-series 
failure occurs in the abort. (A nonseries failure in MC does not 
generally affect the abort, since a parallel element in MC is at least 
triply redundant in the abort logic.) Therefore, the probability of success 
of these subsystems in abort is expressed by: 


n-1 

- V Q. . 

i~l UJ 

j=abort phase *1, , 

! x " * G i.j» 


n 

■ v G 
i= 1 


i, j n 

", 0 ♦ 6i.j) 


i= 1 


e ‘ n,jx n + G n j) 


(19) 


where 

$G_{i,j}$ is the failure probability in abort in phase j of any included 
component of subsystem i (series or dual-parallel components); 

G is the failure probability in abort in phase j of a non-series 
component of subsystem i; 

$G_{n,j}$ is the failure probability in the abort of an included component 
of subsystem n which failed in the mission; 

G is the failure probability in the abort of a non-series component 
of subsystem n. 


The subsystem which had a noncatastrophic failure in the mission has 
a modified abort logic. This includes the original components less one or 
more parallel components no longer applicable due to the mission failure. 
The probability of a successful abort is the sum of the probabilities of no 
failure, e n,j, and of not more than one non-series failure (e' G n,j x G / •). 
iS ®?/ Ual . to G n,j ~ A Pn,j ^ere -AG n j accounts for the reduced proba- 
1 1 y* n,j 18 equal to G n> j - 2AG n j because not only are one or more 
components no longer applicable, but their counterparts are no longer in 
parallel. Thus, the probability of subsystem n successfully completing 
the abort is: 


-(G .-AG .) 

n »J n,J X (1 + G . - 2AG ) 
n,j n, j' 


The probability of safe abort for the cases of not more than one failure 
per subsystem in the mission, for one subsystem in one phase, is found by 
taking the products of Equations 17 through 20: 
SA n.j 


n /phase~l \ 

*i=i( jir, F i,j + iF i,j) " / 

' ^ j= abort ' * \1 + i ; + ^ 1 ’ 

J phase ia\ j =1 '*J 


bjy 

j a b urt 
phase 


( phase -l \ 

4 ^ 1 F n,j + i' F n,j/ / phase -1 V 

5 J j=abort X^l + il'i F n,j + •» F n I j/ 

phase J j-abort 


j~abort 

phase 


jihase -1 
S Is 


e J “ l (e 


j- abort 
pha so 


* n 
~ v G: \ 

i-i Y n 
o # , . x 

j^abort t-1 


d t Gi.j) 


phase 

L e" G, bj x (1 + G •) J 
j*abort n *J' 

phase 


|o^ G 1 n *j’ AGn *^ x (] + CJ . - 2 &G n ,)| 
' j~aborl phase n »J n *J'* 


n /phase-1 \ . . 

“AV .^i F i,j + * F i, j / n / phase-1 \ 

1*1 \ j=l /y n l 1 + £ v. • + 1 fr. . ) 

j x jzA 1 + + ^ * i.j/ 

7 phase-1 ~ > 

( 1+ j f 1 F n,j + > F nJ 


x F 


"0 


n 

-S G; 


4=1 Jl 

X i?l “ * G i.i» „ 


C 1 + G n ,j) 


xe' Ml + G n ,j -2*G ntj ) 


( 21 ) 


The probability of safe abort for these cases for all subsystems and all 
phases is the sum of all $R_{SA_{i,j}}$: 

$$R_{SA} = \sum_{i=1}^{n} \sum_{j=1}^{m} R_{SA_{i,j}}$$
R 


SA 


m 

n 


i=l 


n Abase 1 \ . \ 

/ phase-1 , \ 

( lt jh r *j*i r +i) 


n 


n 

-23 G* i 

1= 1 TT ♦ 

e x n (i t Gi ,j) +AG . 

X F' , X : Xe n 'j X (1 + G n j - 2AG n j) 


n.j 


0 + G n.j> 


( 22 ) 


As in the upper bound case, failure of the SPS in the mission may 
cause a changed abort mode, and result in changes in the abort logic probabilities 
for affected subsystems. These are appropriately incorporated into 
Equations 19, 21, and 22. 

The final group of cases — safe abort with more than one failure in the 
mission in one or more subsystems — utilizes a method of differences. 
Several probabilities are considered. The sum of these probabilities is 
equal to the probability of getting to a phase so that, if any one probability 
is unknown, it can be found by taking the difference between the probability 
of getting to the phase and the sum of the other probabilities. This fact is 
used to evaluate cases of multiple failures and, ultimately, crew safety. 

The probabilities that are summed are: 

1. The probability of catastrophic failure; 

2. The probability of mission continuation; 

3. The probability of an abort with no more than one failure per 
subsystem. 

These are then subtracted from the probability of getting to the phase, and 
all remaining cases are considered to be attempted aborts. 

1. Because the lower bound of crew safety is being computed, calculation 
of catastrophic failures is performed so as to yield a probability that 
is on the high side rather than the low side. The overall probability of a 
catastrophic failure in any phase is a function of the probability of getting to 
the phase and the probability that a catastrophic failure occurs in the phase. 
Since a catastrophic failure is the failure of a component that is in series in 
both the MC and SA logic diagrams, the probability that a catastrophic failure 
occurs in a phase is the same for both the upper and lower cases. The variable 
involved is the difference in the probability of getting to the phase. A 
higher probability of getting to a phase will result in a greater number of 
catastrophic failures in the phase. Therefore, when calculating catastrophic 
failures for the crew safety lower bound, the probability of getting to a phase 
is obtained from the upper bound MC model. This is found by using 
Equation 10. 

Since the catastrophic failure occurs in one subsystem and at an average 
time of one-half way through a phase, the other subsystems are satisfactory 
for this period of time. The probability of these subsystems being good is 
obtained from Equation 11. 


Finally, the probability of a catastrophic failure is found by modifying 
Equation 12 to include the probability of a catastrophic failure instead of a 
noncatastrophic one. 

Probability of a catastrophic failure equals 

$$e^{-\frac{1}{2} F_{n,j}} \left(F_{n,j} - F'_{n,j}\right), \quad j = \text{abort phase} \qquad (23)$$


The overall probability of a catastrophic failure for one subsystem (n) in 
one phase is the product of Equations 10, 11, and 23: 


CF, 


= ' e 


phase -1 

j=l 




n 

•iSFij 

i=l 1,J 

x\e. u * 
j=abort 

phase 


Xe + " F n.j/x| e ^ F n.j (F n _ j - F ' j) 


» e 


phase -1 
n 

-2 F* * 

Si 

j=i 


n 

•is 

1=1 

x 6 X < F n,j - Kj 


(24) 


The total probability of catastrophic failure of all subsystems in one phase 
is the sum of the individual subsystem probabilities. 
i=l l »J i=l l ’J 


J«1 


x < F i.j - F i'.j> 


phase -1 
n 




= e 


j=i 


x e * ( F i i ~ F i (25) 

1=1 1 »J 


2. Since the crew safety lower bound is found by summing success 
cases, conservative values of mission continuation utilize lower bound 
mission success probability calculations. Equation 7 is modified by 
appropriately changing the limits of the summation. 



n 



e 


phase 

A Fi 





( 26 ) 


3. The probability of an abort in a phase with no more than one failure 
per subsystem is found by summing the products of Equations 17 and 18 
for all subsystems. This is comparable to summing the terms of Equation 21 
after deleting those terms concerned with probabilities of successful 
abort. 


abort 




n /phase -1 \ . \ 

■ 2 [ 2F i 5 + iF i ;/ n / phase-1 . \ 

*2 j Z^Mi |g£gw x F . . 

/ phase ^ 1 i . \ 

f 1 + + 


(27) 


The probability of remaining abort cases per phase is found by subtracting 
Equations 25, 26, and 27 from the probability of getting to the 
phase (Equation 7 modified). Remaining abort cases j. 


= e 


n phase -1 
- 2 2 
i=l j=l 


F. 


i. J 



i» j 


(25). + (26). + (27) ^ 


( 28 ) 
The question arises as to whether some of these remaining cases 
might be mission continuation cases rather than abort cases because, if 
they are MC cases, there will be some additional probability of a catastrophic 
failure in a later phase. However, the probability of catastrophic failure is 
already based on maximum probability of mission continuation (Equation 25) 
and includes all possible cases of catastrophic failure. Therefore, for 
crew safety calculations, it is correct to treat all remaining cases as abort 
cases. 

The probability of achieving a successful abort is, of course, a function 
of the configuration of the system when the abort is initiated. Since it is not 
feasible to separate the remaining cases into groups according to which 
subsystem failure necessitates the abort (because of the complexity resulting 
from multiple failures), it is necessary to empirically determine an average 
abort logic applicable to all subsystems which will be conservative, yet not 
so conservative as to result in an unrealistic number of abort failures. 

Two approaches are possible. The first approach is to determine a 
simple series configuration for each subsystem. This, however, is overly 
conservative because most subsystems will still have parallel capability. 

The second approach, used here, is to assume an average of two 
failures per subsystem in the mission and appropriately modify each subsystem 
abort logic. It can be shown that this is very conservative because 
most subsystems will have incurred less than two failures, and many will 
have no failures. The Poisson distribution — which applies to conditions 
in which there are many opportunities for failure but only a small probability 
of failure at any one opportunity, a typical situation for spacecraft - is 
utilized. The probabilities of zero and one failure in a subsystem are found, 
and the appropriate Poisson values are determined. From these, the typical 
average number of failures per subsystem is well below 1.0 and never above 
2.0. Therefore, the probability of successful abort for one subsystem in 
one phase (R 2^ ) is found by modifying Equation 20 to take into account 

i. j 

two mission failures. This modification is, in itself, conservative because 
it accounts for noncatastrophic mission failures which have the greatest 
effect on safe abort probability. 

-(G. . - 2 AG. .) 

R_ a . = Abort prob.. . = e * l * * x (1 + G. . - 4AG .) (29) 

SA. . i, j i, J J 
The number of such safe aborts per phase is found by multiplying the 
number of remaining abort cases in the phase (Equation 28) by the probability 
of all subsystems being successful ($\prod^{n}$ Equation 29). 


R A = 

SA. 

J 


n phase-1 
- 2 2 F. . 

i= 1 j=l l »J 



phase-1 

1 + . 2 , F 

J =1 


(25) j + (26) j + 


(27 'jl 


x n ( 29 ) 

1=1 


(30) 


The total number of such safe aborts is obtained by summing the 
number for all phases (z) in which an abort is possible. 


R A 
SA 


2 

J =1 



< 3( ” 


(31) 


In addition to these aborts, the remaining cases which occur during the 
final mission phases (return, reentry, and post landing) must be considered. 
The number of these cases is found from Equation 28 in the same manner 
as for other phases except that Equation 27 is deleted (its value is zero). 
The probability of a successful abort, however, cannot be obtained from 
Equation 29 because there are no separate abort configurations for these 
phases. To find this probability, the mission success probability for the 
remaining mission phases, starting half-way through the phase being considered, 
is determined. This is found from Equations 7 and 26. 


R 

remain. 


n m 


R 


MS 


MC. ! 
J-2 


- 2 2 f / m \ 

* 1=1 J ' 1 ». j x (, + ?f. .) 

“l\ 3=1 ‘'V 

n phase -j 

i?! i.j n / phase 7 j \ 
e J- 1 x n (1+ 2 F. ) 

1=1 \ J=1 *.J/ 


n m 

-2 2 

i= 1 j=phase 


= e 




n / phase- j \ 

" * Zi F u) 


( 32 ) 




The number of successful cases is found by multiplying Equation 28 
by Equation 32 for each remaining phase. 


A 

V 


n phase -1 
-S £ F. . 




[Eq. ( 32 ) 


(33) 


The total number of these cases is the sum of the cases for these 
phases. 


m A 


rA- S rA » S . (33) 
SA j-z+l SA j j=z+l 


(34) 


R A for the post landing phase, because a successful landing has been 
SA^ 

accomplished, is considered to be mission success as well as crew safety, 
and is added into the MS total rather than the SA total. Since the post landing 
phase is phase m, Equation 32 reduces to approximately unity and the additional 
number of mission successes is found directly from Equation 28 applied 
to phase m. 


$$\Delta R_{MS} = \text{Eq. } (28)_m \qquad (35)$$


Equation 34 is therefore modified by deleting the last phase from the 
rA total: 



m-1 

E 

j s z+l 


(33) 


(36) 


Finally, the lower bound for crew safety is found by adding the lower 
bound for mission success (Equations 7 and 35), the number of safe aborts 
when not more than one failure per subsystem has occurred (Equation 22), 
and all other cases of safe abort (Equations 31 and 36). 

$$R_{CS_{lower}} = R_{MS_{lower}} + R_{SA_{lower}} + R^{A}_{SA_{lower}} + r^{A}_{SA_{lower}} \qquad (37)$$


The overall crew safety reliability is found in the same manner as 
mission success reliability. 

$$R_{CS} = 1 - \sqrt{(1 - R_{CS})_{upper} \times (1 - R_{CS})_{lower}} \qquad (38)$$

PHASE RELIABILITIES 

To determine the reliability of each phase, the upper and lower bounds 
are determined and suitably combined as shown on page 8 and by Equation 38. 
The appropriate equations are referenced below although detailed derivations 
are not presented. 

The mission success upper bound for a phase is simply $e^{-\sum F}$ for that 
phase, as indicated in the discussion on pages 2 and 3. The mission success 
lower bound is found by dividing the probability of getting through the phase 
(Equation 26, j=1 through phase) by the probability of getting to the phase 
(Equation 26, j=1 through phase-1). 

The crew safety upper bound index is found by subtracting failure cases 
from unity. The probability of catastrophic failure is obtained directly from 
Equation 25. The probability of abort failure is found by summing the 
probabilities of safe aborts in a phase (summation of Equation 15 for all 
subsystems in the phase) and subtracting this sum from the abort attempts. 
The attempts are found by summing the products of Equations 10, 11, and 12 
for all subsystems in the phase. The crew safety numeric obtained in this 
manner is an index rather than an exact calculation because the number of 
failures relates to the particular mission rather than to an independent phase. 

The crew safety lower bound is found in the same manner. The probabilities 
of catastrophic failure, abort failure with zero or one mission 
failure, and other abort failures are summed, and this sum is subtracted 
from unity. The probability of catastrophic failure is again obtained directly 
from Equation 25. The probability of abort failure with zero or one mission 
failure is the difference between the abort attempts and abort successes — 
Equation 27 minus the summation of Equation 21 for all subsystems in the 
phase. Finally, the probability of other abort failures is found by subtracting 
Equation 30 from Equation 28, or Equation 33 from Equation 28, as applicable. 

SUBSYSTEM RELIABILITY 

Subsystem reliabilities are found in a manner parallel to that used for 
phase reliabilities. The mission success upper bound for a subsystem is 
$e^{-\sum F}$ for that subsystem. The mission success lower bound is obtained from 
Equation 6. 

The crew safety upper bound index for a subsystem is somewhat more 
complex. While the probability of catastrophic failure attributed to a 
subsystem is found simply by summing Equation 24 for all phases, the abort 
failures charged to the subsystem must be further divided into aborts caused 
by the subsystem being considered and aborts caused by other subsystems. 
When the abort is caused by the same subsystem which later causes crew 
loss, the probability of loss is the product of Equations 10, 11, 12, 13 
modified to include half the abort, and (one - Equation 14). When the abort is 
caused by another subsystem, the probability is the product of Equation 10, 
Equation 11 modified so that n represents the subsystem causing the abort, 
Equation 12 also so modified, Equation 13 modified to account for the system 
which caused the abort and for half the abort time, and (one - Equation 14 
modified). And, if the abort is caused by failure of the SPS, suitable changes 
are made when applicable. 

The crew safety lower-bound index is found in a similar manner. 
The number of abort failures with zero or one failure in the mission is 
determined by using Equations 17, 18, 19 and (one - Equation 20), appropriately 
modified. Because there is no accurate method of determining how 
many of the other abort losses are caused by each subsystem, a simple 
proportion is used. It is assumed that the percent of these losses per 
subsystem is the same as the percent of the other abort losses, and the 
probabilities are computed accordingly. 
APPENDIX I. INPUT DATA REQUIREMENTS 

The mathematical models which were developed are an optimum 
compromise between the amount of effort that would be necessary to provide 
very accurate predictions and the degree of error and approximation that 
could be accepted without significantly affecting the prediction. Fortunately, 
the prediction methods presented herein provide satisfactory prediction 
accuracy without necessitating undue effort on the part of the analysts. The 
few approximations required from the analysts are such that they will not 
affect the overall results. 

The following inputs, on a phase-by-phase basis, are required for 
each subsystem: 

1. The sum of the failure probabilities of all series elements in MC: 
$\sum Q_{k\,MC\,(series)}$, where $Q_{k\,MC} = \lambda_{k\,MC} \times t \times K$ factor (environmental) 
$\times$ K factor (contingency) 

2. The sum of the failure probabilities of those series elements 
which are not catastrophic — i.e., series in MC but not series in 
abort: 

3. The sum of the failure probabilities of the non-series elements in 
MC (dual redundancy only): $\sum \left( Q_{k\,MC} / R_{k\,MC} \right)$. If $R_{k\,MC}$ is greater than 
0.999, it can be neglected. 

4. The sum of the failure probabilities of all elements considered in 
MC: $\sum Q_{k\,MC\,(total)}$ 

5. The sum of the failure probabilities of the series elements in 
abort: $\sum Q_{k\,SA\,(series)}$ 

6. The sum of the failure probabilities of the non-series elements 
in abort (dual redundancy only): $\sum \left( Q_{k\,SA} / R_{k\,SA} \right)$. If $R_{k\,SA}$ is greater 
than 0.999, it can be neglected. 

7. The sum of the failure probabilities of all elements considered in 
abort: $\sum Q_{k\,SA\,(total)}$ 

NOTE: In an abort resulting from failure of the SPS, the abort 
configurations of other subsystems may be affected. When this 
occurs, sums 5, 6, and 7 will be changed. New sums, b, 6, 
and f, are required in addition to 5, 6, and 7. 

8. The sum of the average failure probability of additional elements 
which become series in abort due to one non-catastrophic series 
failure in the mission: $\sum \Delta Q_{k\,SA\,(series)}$. This is found by 
determining the average number of additional series elements and 
multiplying by the average probability of failure in the abort. 
APPENDIX II. NAA PROGRAM DESCRIPTION 

1. Identification 

a. Program for the Reliability Evaluation of Apollo Mission - REAM - 
1M-146 (APF146) 

b. Programmer — F. J. Moskal (7/66) 

c. Space and Information Systems Division (NAA) 

Department 41/200-450 

2. Purpose 

REAM is designed to generate an Upper and Lower Reliability Bound for 
Apollo Mission Success and Crew Safety. These two limits are combined 
by RMS calculations into an approximately true value. Failure predictions 
and assessments are calculated on a mission phase, subsystem 
basis. 

3. Restrictions 

a. REAM is written in FORTRAN IV for use in the NAASTS System. 

b. No tapes are required. 

c. Maximum of 25 subsystems and 30 phases are allowed. 

4. Method 

a. Upper Bound Case 

Mission Success is determined by: 

$$\exp\left\{ -\sum_{j=1}^{j=m} \sum_{i=1}^{i=n} F_{j,i} \right\}$$

where $F_{j,i}$ is the probability of failure in mission of subsystem i 
in Phase j 

n is the number of subsystems 
m is the number of phases 


Probability of safe abort from any Phase j caused by failure of any 
subsystem i is formed by three factors and is given by 
s V,k " 
l"n 


* 


exp < 

1-1 

> » axp < 

‘ n,k 

> 

m 
HQII 


( 2 ) 


Factor "A" is the "probability of getting to a phase" 

Factor "B" is the "probability of non-catastrophic failure" 

Factor "C" is the "probability of successful abort" 

where $F_{j,i}$ is the probability of failure in mission of subsystem 
i in Phase j 

$F'_{j,i}$ is the probability of non-catastrophic failure in 
mission of subsystem i in Phase j 
$G_{j,i}$ is the probability of failure in abort of subsystem 
i in Phase j 
is the additional abort failure probability of subsystem 
i which failed during mission in Phase j 
n is the total number of subsystems 
m is the phase in question 
k is the subsystem in question 


The abort failure probabilities ($G_{j,i}$) of various subsystems are 
modified by the failure in the mission of the SPS (Service Propulsion 
Subsystem). This modification occurs in Factor "C" by the replacement 
of $G_{j,i}$ by a new term $GG_{j,i}$ for each affected subsystem i as shown 
below 


where 


«P 



l 1 " J 


$GG_{j,i}$ is the modified abort failure probability of subsystem 
i due to a SPS failure in phase m 


The number of catastrophic failures of any subsystem in any phase is 
given by 


f 1 

1 
-1 

j^a-1 Xm 




X-n 


— S - 1 I r ),i 

J-l i< 
step < 
i-4 

> • W 

* L ^ 
' «■ 



^ t»Di< 
( 3 ) 


Factor "A" is the "probability of getting to a phase" 

Factor "D" is the "probability of a subsystem catastrophically failing 
half way through a phase" 


where 


$F_{j,i}$ is the "probability of failure in mission of subsystem 
i in Phase j" 

$F'_{j,i}$ is the "probability of non-catastrophic failure in 
mission of subsystem i in Phase j" 
n is the total number of subsystems 
m is the phase in question 
k is the subsystem in question 


The number of abort failures caused by the same subsystem that failed 
in mission is calculated from: 

A special case occurs when the SPS (Service Propulsion Subsystem) fails 
and is backed up by the LEM (Lunar Excursion Module). The number of 
abort failures then becomes 


AFSS. 


m,k 


exp < 


J^n-1 i«m 

•I I F 

J-l i-1 

"A" 


*\ - 


' 






i-n 


> 


exp < 

* § Z Fn »i 

i-0. 

> * K,k 

y - 


- 




(4b) 




l - «P-/- | 


itgit 


Factor "A" is the probability of getting to a phase 
Factor "B" is the probability of non-catastrophic failure 
Factor "E" is the probability of abort failure 


where $F_{j,i}$ is the probability of failure in mission of subsystem 
i in Phase j 

$F'_{j,i}$ is the probability of non-catastrophic failure in 
mission of subsystem i in Phase j 

$G_{j,i}$ is the probability of failure in abort of subsystem 
i in Phase j 

is the additional abort failure probability of subsystem 
i which failed during mission in Phase j 
$GG_{j,i}$ is the modified abort failure probability of subsystem 
i due to SPS failure in Phase j 
n is the total number of subsystems 
m is the phase in question 
k is the subsystem in question 

The number of abort failures caused by a subsystem that did not cause 
the abort is given by 


AFDSm, W 


exp < 


j^a-1 i“*i 

*1 1*4 

JHL i-1 


"A” 



, " 

•m 

i"*l 

\ 

f 1 


i-1 

/ 

w * 



up it 


(5a) 


r 





- 

f 

-» 

exp < 

i-n 

i-1 

w J 

> * F m,k 



1 - exp < 

” ^k 

* J 

> 


"P Confc." 


- 


t!£!t 



A special case occurs when the SPS fails. The abort failure 
probabilities of other subsystems are modified and are reflected in the 
following relationship: 
i-ei 







1 - sap < 

“ <Vk 
«*P < 

- 1 IVi 

> * F m,r 


1 - exp < 
i-1 
Factor "A" is the probability of getting to a phase 

Factor "F" is the probability of no failures of all other subsystems 

Factor "E" is the probability of abort failure 


Note that some factors in the special case are not identified. The 
probability of no failures of all other subsystems and the probability 
of abort failure are combined into one term. 


$F_{j,i}$ is the probability of failure in mission of subsystem 
i in Phase j 

$F'_{j,i}$ is the probability of non-catastrophic failure in 
mission of subsystem i in Phase j 

$G_{j,i}$ is the probability of failure in abort of subsystem 
i in Phase j 

is the additional abort failure probability of subsystem 
i which failed in mission in Phase j 
X jfl is the additional abort failure probability of subsystem 
i due to SPS failure in Phase j 
n is the total number of subsystems 
m is the phase in question 
k is the subsystem in question 

r is the SPS subsystem 


b. Lower Bound 

The mission continuation probability is given by 


HOP, 


m,n 








am 




exp -< 


> 


1 + Pj,» 

J-l 



- 




( 6 ) 


where 


$F_{j,i}$ is the probability of failure in mission for all 
elements of subsystem i in Phase j 
is the probability of failure in mission for non-series 
elements of subsystem i in Phase j 
m is the phase in question 
n is the subsystem in question 

The probability of getting through a phase from phase one is given by: 





n 


* 

JHl 





j-tt 

POT n - J 

exp < 

- I f j.p 



1 + 

PF*1 


l* 1 

. 


JHL J 


where $F_{j,i}$ is the probability of failure in mission for all 
elements of subsystem i in Phase j 
F, 4 is the probability of failure in mission for non-series 
elements of subsystem i in Phase j 
m is the phase in question 
n is the total number of subsystems 

The reliability of a phase m is given by the quotient (from Equation 7) 

$$ROPH_m = \frac{PGT_m}{PGT_{m-1}} \qquad (8)$$

Note that $ROPH_1 = PGT_1$ 

The probability of getting half way through a phase m, from phase 1 is 
obtained by 


m 

HAFWAT a - J 
r-i 


exp 


L 
where 


$F_{j,i}$ is the probability of failure in mission for all 
elements of subsystem i in phase j 
F. . is the probability of failure in mission for non-series 
elements of subsystem i in phase j 
m is the phase in question 
n is the total number of subsystems 

The number of aborts caused by subsystem i in phase j is given by 



where $F_{j,i}$ is the probability of failure in mission for all 
elements of subsystem i in phase j 
t. . is the probability of failure in mission for non-series 
elements of subsystem i in phase j 
$F'_{j,i}$ is the probability of non-catastrophic failure in 
mission of subsystem i in phase j 
m is the phase in question 
n is the subsystem in question 

The probability of safe abort is determined from 


P8Am,k " 


i-R 

«p<- 

IHL 


iHi 

I( 1 + 6 -> 

. 1-1 


•^S^kf 


1 + ^k * 2lfi *,k 


pC) 


(Ha) 


A special case occurs when the SPS fails. The abort failure probabilities 
of some other subsystems are modified. This modification is 
shown in the following equation where 00 and 66 terms replace 0 and 6 
if applicable. 


«**k" 


exp ! 


-St I 


«p<^k! 


1 + <% f k " 2aG M 


(lib) 


where $G_{j,i}$ is the probability of failure in abort for all 
elements of subsystem i in phase j 

is the probability of failure in abort for all non-series 
elements of subsystem i in phase j 
is the additional abort failure probability of subsystem 
i which failed during mission in phase j 
are the modified abort failure probabilities of subsystem 
i due to SPS failure in phase j 
n is the total number of subsystems 
m is the phase in question 
k is the subsystem in question 

The number of safe aborts per subsystem in any phase is given by the 
product of the two values just calculated 

[w»m,k] 

where m is the phase in question 

k is the subsystem in question 

The contribution of multiple failures of all other subsystems to crew 
fatality in the abort mode is given by 


»*a,k 


«* P<j 

i*n 

■ Ia 

iHL 

k. 

i 

l( l + Ai) 

- 

exp < 

[- <kkj] [( x + Ak) 



( 13 ) 


where 

$G_{j,i}$ is the probability of failure in abort for all 
elements of subsystem i in phase j 

is the probability of failure in abort for all non-series 
elements of subsystem i in phase j 

n is the total number of subsystems 

m is the phase in question 

k is the subsystem in question 

The number of abort failures caused by the same subsystem that failed 
in mission is determined from 


AFSS n,k " HAfVAY a 


F/ 


1 + 


jbJl 

f + i Vk 

\ 3-1 


1 " 


IIQM 


"H" 


(14a) 


!-«*< - °a,k- AG n,l 


1 + °k,k ’ 2AG a,k 


A special case occurs when the SPS fails. The abort failure 
probabilities of some other subsystems are modified. This modification 
is illustrated in the following equation 


AFSSa^ - HAFWAY tt 



1 - mfam-k 


"H" 



(14b) 
Factor "G" is the probability of getting halfway through a phase 
(Equation 9) 

Factor "H" is the probability that one half the multiple failures 
will be fatal to the crew (from Equation 13) 


where $G_{j,i}$ 

is the probability of failure in abort for all 
elements of subsystem i in phase j 

®J.t 

is the probability of failure in abort for all non-series 
elements of subsystem i in phase j 


is the additional abort failure probability of subsystem 
i which failed during mission in phase j 

F l,l 

is the probability of failure in mission for non-series 
elements of subsystem i in phase j 

$F'_{j,i}$ 

is the probability of non-catastrophic failure in 
mission of subsystem i in phase j 


are the modified abort failure probabilities of subsystem 
i due to a SPS failure in phase j 


The number of abort failures caused by a subsystem that did not cause 
the abort is given by 
^ ^ i — j=r“ - -3=“ 

" s " \ 1+ + 1 + + i f «.i 


i— -W ^ 


A special case occurs when the SPS fails. The abort failure 
probabilities of some other subsystems are modified as shown below 


1 - MFAMm v 

- K*rw« u i- j — 


\t-n p t 




w \ 1+ 


1-axp^-Gtau 




Factor "G" is the probability of getting halfway through a phase 
(Equation 9) 

Factor "H" is the probability that one half of the multiple failures 
will be fatal to the crew (from Equation 13) 

is the probability of failure in abort for all 
elements of subsystem i in phase j 
is the probability of failure in abort for all non-series 
elements of subsystem i in phase j 
is the additional abort failure probability of subsystem 
i which failed during mission in phase j 
is the probability of failure in mission for non-series 
elements of subsystem i in phase j 
is the probability of non-catastrophic failure in 
mission of subsystem i in phase j 
are the modified abort failure probabilities of subsystem 
i due to a SPS failure in phase j 

The approximate true value of the failure probability is obtained by 
taking the square root of the product of the upper and lower values of 
the probability of failure 

MB-l-i/(l-»> (1-MCP) 

V (Iq. 1) (>q. *) 


share 


°j.i 

®j.i 




p j,i 


»j,i “ 4 
5. Input Data 

Card No. 1 Comments 

Program data description from this card is printed at the top of each 
output page. Comments, program titles, test block number, date, etc. 
may occupy columns 1 — 00. Centering the comment on the card will 
center the comment on the output page. 

Card No. 2 Data Size 

c.c. 

11 - 12 Number of Phases (right adjusted) 30 maximum 

23 - 24 Number of Subsystems (right adjusted) 25 maximum 

Card Group No. 3 Subsystem Names 

Subsystem name abbreviations are written one on each card in 
columns 1-12. There should be a subsystem name card for each subsystem 
and should be queued in the same order as the input data. 

Card No. 4 Control 

c.c. 

1-60 Must contain all 9's 

This card separates the subsystem name cards from the upper bound 
input data cards. 

Card Group No. 5 Upper Bound Data 
c.c. 

1 - 12 Mission Failure Probability 

13 - 24 Abort Failure Probability 

25 - 30 Mission Failure Probability (non-catastrophic) 
31 - 36 Additional Abort Failure Probability 

37 - 48 Modified Abort Failure Probability (SPS Failure) 

73 SPS Backup Indicator 

1 for RCS 

2 for UM 

74 - 76 Phase Number (right adjusted) 

77 - 80 Subsystem Number (right adjusted) 

There should be a card for each subsystem in each phase. The cards 
may be in any order. 

Card No. 6 Control 

c.c. 

1-80 Must contain all 9's 

This card separates the upper bound data from the lower bound data. 

Card Group No. 7 Lower Bound Data 
c.c. 

1 - 8 Mission Failure Probability All Elements 

9 - 16 Mission Failure Probability All Non-Series Elements 

17 - 24 Abort Failure Probability All Elements 

25 - 32 Abort Failure Probability All Non-Series Elements 

33 - 40 Mission Failure Probability Non-Catastrophic 

41 - 48 Modified Abort Failure Probability 

49 - 56 Modified Abort Failure Probability 

57 - 64 Additional Abort Failure Probability 

73 SPS Backup Indicator 

1 for RCS 

2 for USC 

74 - 76 Phase Number (right adjusted) 

77 - 80 Phase Number (right adjusted) 

There should be a card for each subsystem in each phase. The cards 
may be in any order. 

Card No. 8 Control 

This card terminates the data read. 
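
An added Python example, not the REAM FORTRAN source: it reads Card Group No. 5 cards by column, computes the upper bound mission success exp(-ΣF) for the mission or for one phase, and combines an upper and a lower bound by the square-root rule given in the method. Assumptions: numeric fields carry an explicit decimal point, a blank field reads as zero, the function and key names are chosen here, and the sample deck and the lower bound value are constructed.

```python
import math

MAX_PHASES, MAX_SUBSYSTEMS = 30, 25  # limits stated under "Restrictions"
# Card Group No. 5 columns (1-based, inclusive); key names are chosen here.
FIELDS = {"F": (1, 12), "G": (13, 24), "F_noncat": (25, 30),
          "dG": (31, 36), "GG": (37, 48)}

def is_control_card(card):
    """Separator card: nothing but 9's in the punched columns."""
    body = card.rstrip()
    return len(body) >= 60 and set(body) == {"9"}

def parse_upper_card(card):
    """Decode one fixed-column upper bound card."""
    card = card.ljust(80)
    rec = {}
    for name, (lo, hi) in FIELDS.items():
        text = card[lo - 1:hi].strip()
        rec[name] = float(text) if text else 0.0  # assumption: blank = 0
        if not 0.0 <= rec[name] <= 1.0:
            raise ValueError(f"{name}={rec[name]} is not a probability")
    rec["sps_backup"] = card[72].strip()  # column 73
    rec["phase"] = int(card[73:76])       # columns 74-76
    rec["subsystem"] = int(card[76:80])   # columns 77-80
    return rec

def read_upper_deck(cards, n_phases, n_subsystems):
    """Read cards up to the control card; return {(phase, subsystem): rec}."""
    if n_phases > MAX_PHASES or n_subsystems > MAX_SUBSYSTEMS:
        raise ValueError("more than 30 phases or 25 subsystems")
    deck = {}
    for card in cards:  # cards may arrive in any order
        if is_control_card(card):
            break
        rec = parse_upper_card(card)
        key = (rec["phase"], rec["subsystem"])
        if not (1 <= key[0] <= n_phases and 1 <= key[1] <= n_subsystems):
            raise ValueError(f"card {key} outside the declared data size")
        if key in deck:
            raise ValueError(f"duplicate card for {key}")
        deck[key] = rec
    if len(deck) != n_phases * n_subsystems:  # one card per pair is required
        raise ValueError("missing phase/subsystem cards")
    return deck

def mission_success_upper(deck, phase=None):
    """exp(-sum F) over the whole mission, or over one phase if given."""
    total = sum(r["F"] for (p, _), r in deck.items() if phase in (None, p))
    return math.exp(-total)

def rms_combine(upper, lower):
    """1 - sqrt of the product of the two failure probabilities."""
    if not 0.0 <= lower <= upper <= 1.0:
        raise ValueError("expected 0 <= lower <= upper <= 1")
    return 1.0 - math.sqrt((1.0 - upper) * (1.0 - lower))

def make_card(F, G, Fn, dG, GG, backup, phase, subsystem):
    """Build a constructed sample card in the same column layout."""
    data = f"{F:12.6f}{G:12.6f}{Fn:6.4f}{dG:6.4f}{GG:12.6f}"
    return data.ljust(72) + f"{backup:1}{phase:3d}{subsystem:4d}"

# Constructed sample deck: 2 phases x 2 subsystems, cards in arbitrary order.
SAMPLE = [make_card(0.004, 0.002, 0.001, 0.0005, 0.003, " ", 2, 2),
          make_card(0.001, 0.002, 0.000, 0.0000, 0.002, "1", 1, 1),
          make_card(0.003, 0.001, 0.002, 0.0001, 0.001, " ", 2, 1),
          make_card(0.002, 0.001, 0.001, 0.0002, 0.001, " ", 1, 2),
          "9" * 80]

if __name__ == "__main__":
    deck = read_upper_deck(SAMPLE, 2, 2)
    upper = mission_success_upper(deck)
    print(upper, rms_combine(upper, lower=0.9880))  # lower bound is made up
```

The lower bound passed to `rms_combine` has to come from the lower bound equations of the method, which this example does not implement.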

6. Appendices 

Appendix I - Deck Setup 
Appendix II - Sample Data 
Appendix III - Sample Output 
[FORTRAN work sheet, Appendix II: Mission Evaluation Sample Data, input data, lower bound case, Phase 1 and Phase 2] 

[Sample output: Mission Evaluation Sample Data, output data, lower bound case. Columns: Phase; Reliability of Phase (lower bound, upper bound, RMS value); Crew Safety Index of Phase (lower bound, upper bound, RMS value)] 

[Sample output: Mission Evaluation Sample Data, output data, RMS calculations] 